CVE-2026-8698

Vulnerability

The vulnerability exists in the as_get_coin_shortcode() function in functions.php of the Cryptocurrency Prijsvergelijking Widget plugin for WordPress version 1.0. The function renders the width and height shortcode attributes directly into the style attribute of an ` element without applying output escaping such as esc_attr(). This allows an attacker to terminate the style attribute and inject arbitrary HTML attributes, leading to stored cross-site scripting (XSS). The vulnerable code is located at lines 138 and 157 of functions.php` [1][2].

Exploitation

An authenticated attacker with contributor-level access or higher can create or edit a post or page and insert the vulnerable shortcode with a crafted width attribute, for example: 100px;"onload="alert(1)" x=". This value breaks out of the style attribute and injects an onload event handler into the `` tag. When any user visits the page, the injected script executes in their browser.

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts into pages. These scripts execute in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The attacker gains the ability to perform actions on behalf of the victim within the WordPress site.

Mitigation

As of the publication date (2026-05-27), no fixed version has been released. The plugin version 1.0 is affected. Users should disable the plugin until a patch is available. There is no known workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.